Video: CISO Playbook: Best Performing Strategies to Manage Cloud Risk | Duration: 1805s | Summary: CISO Playbook: Best Performing Strategies to Manage Cloud Risk | Chapters: Welcome and Introduction (13.925s), Cloud Risk Challenges (122.02s), Organizational Alignment Strategies (237.475s), Security Standardization Strategies (351.425s), Prioritizing Cloud Risks (512.96497s), Securing Cloud Migrations (682.755s), Measuring Cloud Risk (815.21497s), AI in Cloud Security (981.17s), Risk Reduction Strategy (1170.25s), Future Cloud Risks (1343.89s)
Transcript for "CISO Playbook: Best Performing Strategies to Manage Cloud Risk":

Hey. Hello, everybody. Thank you so much for joining us today, and welcome to another session in our Wiz CSO webinar series. I'm Sriya. I'm a field CTO at Wiz, and I'll be moderating today's session. I'm joined by John, global director of cloud security at McDonald's. And over the next twenty-five minutes, we'll get into what it really looks like to manage cloud security risk at scale, how John and his team think about visibility, prioritization, and enabling the business, all to really manage cloud risk. We'll leave a few minutes at the end for Q&A. So if anything comes to mind as we go, drop your questions or thoughts in the chat. We're keeping an eye on it. And, rather than listing out John's resume, I'll let him introduce himself and kick off.

Thanks for having me. My name is John Herron. I'm a global director of cloud security here at McDonald's. An interesting fact that maybe all of you can appreciate: global cloud security at McDonald's sits within the technology infrastructure and operations department. We actually sit outside of cybersecurity. An interesting fact there is that most of my peers in similar roles in other organizations have trouble getting buy-in and adoption for cyber initiatives inside infrastructure and operations teams. My team being embedded within cloud infrastructure ops gives us a leg up in this case, since we're the ones driving and implementing best practices for cloud security. So, looking forward to discussing this with you all, and, yeah, I'm excited to be here. Thank you.

Awesome. Thanks, John. And to kick us off, first question here. When it comes to managing cloud risk at McDonald's, what would you say are the biggest challenges you and your team are up against?

Yeah.
So I guess the first things that come to mind for me are, industry-wide, there are definitely issues with observability, visibility, different types of risks, the compounding factors of different risks as they add up, and rapidly changing environments. Maybe you have one cloud. Maybe you have two. Maybe you have three. There's also the maturity of the consumers of your platforms, your clouds. Are they, you know, using it in a standardized approach? All of these things compound to make our jobs quite difficult in securing cloud. And a couple of examples just to get you thinking. So, vulnerability management. If you have a team that's deploying through ClickOps and they're deploying static resources, you've got one team that's doing software patching, and you've got another team that's doing the actual OS patching. But if you take that same approach and you have a pipeline that deployed the asset, and it's an ephemeral asset, the whole model of vulnerability management changes: you're updating a hardened image, you're deploying that image within your Terraform, and then refreshing nodes in order to make sure that those apply. The same problems come from incident response processes. If you have a virtual machine, and that virtual machine needs to be quarantined, well, you add a security group with your configurations so your tooling can access it, but nothing else can. But if you do that within a Kubernetes cluster and a node becomes unhealthy because it can't reach the Internet anymore, you've just potentially lost some significant data. So we face a lot of challenges. Hopefully, that gives an idea of the challenges that we're working through here.

Definitely. And I think that approach makes a lot of sense as well, especially using different maturity levels across those teams. Right?
But what strategies are you putting in place in order to tackle those challenges?

Sure. So we're tackling this in a couple of different approaches. There's an organizational alignment and visibility aspect. There's a driving standardization aspect. And then there's, you know, how do you scale your value beyond what your team and your capacity allow for? So from an organizational alignment perspective, if you're lucky enough to be able to drive top down, your leadership's bought in to security outcomes like it is here at McDonald's, and you're able to drive bottom up through grassroots approaches or through tactical reporting and meetings with those technical teams, then you're in a great spot. What's interesting is if you have reporting at both of those layers and those reports are conflicting with each other. Let's say what you're driving at tactically with the application and product teams and what your leadership and executive team is seeing from a report perspective conflict; what can happen there is you get a breakdown of communication. The communication turns political rather than technical about how we're mitigating risk. You get finger pointing of, well, I thought the cloud ops team was patching that, or I thought the application team was doing that. And so it's really about having symbiosis between the reports that you're sharing at the working team level and the reports that you're sharing at the executive level, making sure that the outcomes you're driving at both match and that the tactical teams can discuss the value-add activities that they're driving, from an organizational alignment perspective. From a standardization perspective, I would focus on a couple of different things. So the first one is around how you're implementing guardrails, like a control tower, within your cloud platforms.
If you have a guardrail that's deployed at a platform level, which is definitely a must-have, but that's all you have, then you have a poor developer experience. So let's say a developer wants to deploy a website, and that website happens to use a public S3 bucket for their static content. And that poor developer is just trying their darndest to deploy this asset, and it just keeps getting blocked or it keeps getting overturned by your automated responses. You know, that's a poor developer experience, but you are blocking a potentially risky configuration. So the next phase is making sure that you have pipeline enforcement, and that the pipeline controls have parity with your platform controls. Now you're warning that developer early on in their design life cycle that they can't utilize this configuration. And to take it a step further, taking into account the path of least resistance, so how you're enabling application teams to move more quickly. You know, can you cover off on fifty, sixty, seventy percent of typical use cases? Design templates within your Terraform modules so that they can easily adopt these. And that leaves your teams, your platform, your DevOps teams with more capacity to drive down risk in those odds-and-ends use cases, the twenty, thirty, forty percent that come through. And then that third item, which was how do you expand beyond what your team capacity allows for, is where you get into the security guardians, security champion area. So taking a grassroots approach, making sure that you're selecting folks throughout the organization that may have an interest in security. Maybe they wanna break into a security role. Maybe they're impacted by security decisions late in the life cycle of their application, and they want to minimize those impacts going forward.
So building that relationship, giving them training, giving them the opportunity to connect directly with resources within cybersecurity, rewarding and recognizing them. What we found is that when we've engaged folks throughout the organization in this manner, they start having security discussions without us present, and they're having those discussions in daily scrum calls. They're having those discussions in design calls, where security may or may not be present. So we've seen some amazing growth and risk reduction through those programs as well.

That's awesome that you've been able to lay that foundation and use those strategies around getting visibility and creating that standardization and security champions program in motion. Once you have this foundation, how do you make sure that risks are being prioritized in the right way, especially when you have that pressure to accelerate cloud adoption, and that is so constant?

Yes. I have to remind myself often that we are enabling the business. You know, IT, cybersecurity doesn't exist without the business being successful. Cybersecurity is also a sales gig. At the end of the day, we have to sell our outcomes, and we have to make sure that the business understands their risk in relation to their risk tolerances, but also where it makes the most sense to take and accept risk and where it doesn't. Right? So from a quantification of risk, when somebody brings up, hey, there's this new cloud service we wanna utilize, or, hey, there's this new cloud platform we wanna utilize (very big difference there), we talk about risk in short term and long term.
So from an immediate risk perspective, if you are trying to get a service enabled without any sort of review, guardrails, or a temptation for enabling teams to adopt more quickly and more effectively, we're talking about potential exposure, misconfigurations, and some significant brand risk, depending on the contextual data associated with that request. But there are also longer term risks as well. So think post implementation. You're maybe a year from when you implemented and you didn't harden that underlying service. As you know from an SDLC perspective, if you catch something in planning, it costs a dollar. If you catch something in development, it's $10. In QA, it's a hundred dollars. In production, it's a thousand, as an example. You know, catching and trying to retrofit security has significant cost impacts both on the time it takes to implement those controls after the fact, the complexity of doing so, and also from the potential disruption. So what this comes full circle back to, as I mentioned, cyber is a sales gig in most cases. It's making sure that you've built the relationships with your business teams, your IT teams that you're supporting, making sure they have awareness of what it takes to enable a new service, what it takes to enable a new platform and secure it appropriately, and then what the benefits are for them in doing so. Worst case scenario, you leverage the existing teams within your department, whether it's information risk management, enterprise risk management, red teaming, whatever the case may be. Utilize your partners if you are broaching a tough subject with a very determined business team.

I love that, around saying that cybersecurity is like a sales gig. Right? Because we want to have those partnerships with our dev teams, and we want to be able to sell the value and the impact that we're making.
And it sounds like you've really built a really intentional approach, not just around prioritizing risk, but also ensuring that your business has bought in and is really aware of what's at stake. I mean, where have you seen the biggest improvements in reducing risk this year? And we've talked about some of this, but is there a particular program or success story that you can share?

Yeah. So I will have to share generally in this use case. You know, we keep a lot of things internal. However, I can share a couple of things. So, the first is that, as I mentioned before, we have a lot of executive sponsorship and support for driving risk reduction. And I'll give it to our internal marketers: we call our program Securing the Arches. And so we've seen some amazing success in driving risk down across the company, and specifically in cloud, utilizing the Wiz platform. I will say that we also had a very unique opportunity bestowed on us this last year. We announced a strategic partnership with Google about a year ago. And as part of that, we are looking to migrate workloads from our cloud environments into Google Cloud. So since this is greenfield for us, my team and I have had the responsibility of standing up both a platform and pipeline to enable security by design, by default. So they've done an amazing job learning a new platform, building out new muscle when it comes to pipelines and enforcement mechanisms, and it's been a very rewarding experience. So we're looking forward to what the future brings us there, and the lessons learned we'll get out of that program.

For sure. And I think that's a really great example, especially the focus on secure by design and kind of having those campaigns, like toxic combination reduction.
But I think that proving impact can be quite tricky. How do you approach measuring cloud risk across the organization and showing the progress that you're making over time?

Sure. So we take two lenses to communicating the impact of reducing risk. We have organization-wide, very broad strokes type views, and then we have what we call our golden nuggets. So for you, this would be your critical workloads. So for our organizational approach, we take industry standard frameworks, and we measure risk against those. We do scorecarding. We gamify how we communicate how well teams are doing in particular areas, and we do it by security domain. We also do campaigns. So, let's say Apache Tomcat had a vulnerability. We'll go do a campaign focused around that if it's a high risk. Or, if it's like Codefinger, which was a ransomware attack vector that was recently announced, we'll go through and drive some risk reduction work tied to new threat vectors as well. For our golden nuggets, our critical assets, we take, I guess, a more detailed approach using the same broad strokes, but we're diving layers deeper. So we want to understand how data is being stored, how it's being processed, what systems have access to it that are within the account, outside of the account, making sure that the business processes are in step with the technical controls, business controls. Just making sure that we have our t's crossed and our i's dotted when it comes to how we operate those critical assets. As for how we actually measure the success: we're doing all the standard KPIs that I think most cloud teams are adopting. But what we're also looking at is how we're enabling the business. So a lot of our measures are around how long does it take us to stand up a new service? How long does it take us to harden the service?
Are we continually making it easier for developers to deploy compliant resources? And when we learn and we have a detection, are we driving true positives in our detections? Are we taking those true positives and tying those back to automated remediations or preventive controls as part of our lessons learned in the life cycle of those types of workflows and processes?

For sure. Are you leveraging AI or any automation or advanced workflows in addressing cloud issues?

Yeah. Beyond the standard, like, how you would improve your day-to-day job when it comes to how you organize and stuff like that, we are actually deploying AI in a couple of different ways. So anything that is highly complex, highly technical, that's prone to human errors, we are driving through AI in order to pull out key insights and to make sure that our reviews are more thorough. So these are things like service hardening, pipeline modules, policy as code, entitlement reviews for human-based access or other principal-based access within cloud. Really, the goal is to utilize this to drive down the complexity, to see things that maybe we would miss as humans, and reduce the risk and increase that speed of delivery.

It's clear that you're really leaning into automation and AI in a thoughtful way. And I think not just for speed, but also for accuracy and scale, as we see a lot of other customers doing as well. But when it comes to more broad stakeholder engagement, especially with nontechnical leaders, how do you communicate cloud risks in a way that drives action without creating friction or slowing things down?

Yeah. So I think I'm gonna tie this back to being in sales, whether you're in cybersecurity or in IT.
I think this really comes back to, have you built trust, and are you able to put it in terms that the business can understand and appreciate? So some folks, maybe you're early on in that trust-building phase or this is the first time you're meeting them, they're not gonna take your word for it that this is a risk that they need to go address. They may need to hear some storytelling. You may need to get good at storytelling and saying why this is a problem. You know, maybe another company had a recent issue with a particular misconfiguration or vulnerability, and you can take them through what that did from a business perspective. And then, for the folks that storytelling doesn't work for, then you go into maybe inviting your red team, your purple team to show how maybe this is a risk, or maybe standing up a game day so that they can learn through hands-on. Right? And as you develop these relationships over time and you build that trust, those conversations become a lot easier because they're not seeing you as an impediment anymore. They're seeing you as a business contributor. Don't misstep, and don't say you need to complete this by this date or else. If it's not adding value to the business, you want to tread carefully when we're talking about building the trust and then driving the right change. And as long as you're doing that, I think at the end of the day, you're gonna be successful when it comes to working through cloud risk with nontechnical leaders in your organization.

Definitely. I think that's a really important point around building trust and ensuring those stakeholders really do have that understanding, whether we're communicating it or kind of through a little more of a stick approach with the red team or the purple team.
For organizations that are a little earlier in their cloud security journey, how do you recommend that they start if they want to build an effective risk reduction program?

Yeah. Absolutely. There are a couple of key things. I think prevention, making sure you have the right preventive controls in place, is key day one. And if you are retrofitting, making sure you get them in as early as possible. The reason being is because if you are not actively blocking things that you know are bad, you're gonna spend so much time focusing on remediating those and playing whack-a-mole that you're not gonna be able to get to the more critical or the more widespread opportunities. So from a preventive control perspective, I think I mentioned before, making sure you've got your guardrails in place. Use a control tower if you can, because it helps manage drift at scale. Make sure you have a pipeline that supports the platform controls and has parity with those controls so that you're not causing a poor developer experience. Think about ways you can improve the posture of your identity perimeter, your network perimeter, making sure that you have federated human-based access that's least privilege or role-based. From a network perimeter perspective, beyond firewalls, how are you allowing secure remote administration of workloads? And are you providing the right level of segmentation, based on your business needs and regulatory requirements, between workloads within cloud environments? And then lastly, how are you driving proactive hygiene with teams, making sure they're performing the right duties, the right behaviors when it comes to managing cloud and cloud assets? Once you've got that in place, I think that second prong becomes how you're driving down risk. In my world, quality is better than quantity.
You can go solve three exposed assets that have critical exploitable vulnerabilities, or you can go solve for a thousand vulnerabilities that are maybe tied to an unused kernel vulnerability. When you balance the two, I think the risk reduction on the critical toxic combinations far exceeds what you're remediating with the unused kernel vulnerabilities. So, definitely take your business needs into consideration. Make sure that you're taking your risk tolerances into consideration. But I would say driving a high-quality, risk-based approach to resolving risk is key to an early program.

I love that, especially around thinking about prevention and then really focusing on the things that are gonna make the most impact within your environment. And I think we're at our last question here. Looking ahead, what trends do you think will shape cloud risk management over the next few years, and how are you preparing for them now?

Yeah. So I think it's hard to predict cloud. It's ever changing. It's rapidly changing. I will say there are a couple of things near and dear to me. You know, the explosion of data growth has been just absurd. Right? I think IoT in particular is gonna drive some significant growth here in the future. We're already seeing it in industries like the automotive industry, in home appliances, consumer electronics, and that data is going somewhere. Right? So there's definitely gonna be a need to take into consideration how you're securing that data, from a confidentiality perspective, from an integrity perspective, and an availability perspective, because we're often now tying that data to business drivers, revenue drivers. So making sure that you're driving the acceptable use of that data and you're securing it appropriately.
And then when you no longer need that data, making sure that we are life cycle managing it out of existence. The other one that's near and dear is SaaS tooling. So I think we're gonna see a significant shift in folks like on this call accepting the risk of static credentials in cloud and SaaS providers. There are still a number of providers out there that are relying on long-lived, overprivileged access to your cloud environments in order to provide value. And that's gonna change, and it's already starting to change. So driving down privilege to just what's needed to secure the value that the tool is going to be delivering, as well as reducing those static credentials from being long-lived to short-lived, session-based tokens.

Awesome. Thank you, John, and thank you everyone who joined us today. John, again, thank you so much for sharing such a thoughtful and transparent look into how McDonald's is managing cloud risk at scale. I think we're going to transition into Q&A now. So if you haven't already dropped your questions in, we do have a few minutes. And I think our first question is in from Pranav. How do you build the baseline security for multi-cloud as a preventive control? So kind of tying into exactly what you've been speaking about today. And how are you using cloud native policies and security groups?

Yeah. So, there are many different approaches to solving the same problems. I think in our world, at least in my world, it's ensuring that you have the right baseline foundations in place for that identity solution. So making sure you're enforcing MFA, all the basics before you get to that cloud. Right? Once you're building the actual controls within the clouds themselves, you have to make a decision. Are you going to be abstracting it, forcing it through a code-first approach, or are you able to use native solutions in order to achieve these outcomes?
If you do use the native solutions, you're kind of doing three different controls that are all doing the same things, but they may be coded a little bit differently based on the uniqueness of each of those cloud platforms. So, obviously, the more clouds you're in, the more risk, I would say, and the more work it's gonna be to deploy those controls and maintain those controls over time. So, yeah, I think the second part of that question was the use of cloud native policies and then security groups. So, yes, we're doing a balance of both. I hinted at it in this chat that we have many different teams and consumers of our clouds internally. We have folks that are 100% code-based, using Terraform to deploy their infrastructure. And we have folks that are still reliant on ClickOps or reliant on a centralized team to do those deployments. So we're taking a mixed approach to solving those problems, both natively and through other means.

Awesome. Alright. I think we have another question in the chat, from Oliver. How does Wiz and your CMDB work together from a security point of view?

Yeah. Luckily, I do not have to solve the problems of CMDB and asset management, but I know that Wiz is a key contributor, a key data source to that team achieving those outcomes. So, like any good platform, we have multiple data sources, but Wiz has proven to be an exceptional, high-quality data source with a lot more contextual data than I think those teams are typically used to getting into that asset management and CMDB table. I'm not sure I'm the right person to talk more about that, but I'll leave that answer there.

Okay. And then I think maybe we have time for one last question. What are some useful tips in influencing business teams to understand the need of remediating vulnerabilities in a timely manner?
Yeah. I think everybody struggles with this. Right? I think, if you put yourself in their shoes, they are driving significant value for the business. They're focused on feature creation, bug fixes, and vulnerabilities are not always top of mind for those teams. I think in the right conversations with the folks that can influence the prioritization of those teams, allocating a percent of their time to fixing security issues if they have them. I think a couple of key things: those security guardians, trying to embed someone in their team or take someone from that team and train them on why. Maybe do a resource sharing activity where you take one of your engineers and place them on that team, and they'll learn some ways that maybe security can affect them positively. And then for the folks that are coming back to the security team, maybe show them why vulnerabilities are a problem. Have them live a day in a security event and incident response process, or have them go through a game day, so that they can see just how high risk a single vulnerability could be or a collection of vulnerabilities can be, especially when we're talking about assets that have access to sensitive data or are exposed to the Internet. Right? I think those would be the methods I would take: building trust with those leaders to drive the right outcomes, but using those tools to build that trust.

I love that, especially around the cross-training element. And I think that's it for us today. Thank you again to everyone who joined us, and a huge thank you again to John for such an open and insightful conversation. If the session sparked any ideas or questions, we'd love to keep the conversation going. But, other than that, thank you again, everyone, and hope you have a great rest of your day. Thank you. Thank you.